# Exploit Chain Analysis Framework

Framework for analyzing multi-vulnerability exploit chains in advanced attacks.
Exploit Chain Analysis is a structured methodology for modeling how multiple vulnerabilities, combined in deliberate sequence, produce attack outcomes that no individual vulnerability could achieve alone. The framework exists because vulnerability management programs built on single-vulnerability scoring systematically underestimate risk: a medium-severity authentication bypass and a low-severity path traversal, treated in isolation, may each receive low remediation priority, yet together they produce unauthenticated remote code execution. Chain analysis closes the gap between how defenders score vulnerabilities and how attackers actually use them, enabling prioritization decisions grounded in realistic attack paths rather than abstract severity ratings.
---
An exploit chain is a structured sequence of vulnerability exploitations in which each stage enables, amplifies, or unlocks the next, with the final stage achieving the attacker's primary objective. The chain is defined by its dependency structure: stage N must succeed before stage N+1 becomes exploitable. This dependency relationship distinguishes exploit chains from vulnerability clusters (multiple vulnerabilities in the same component that are not sequentially dependent) and from compound vulnerabilities (a single flaw with multiple impact categories, such as a buffer overflow that produces both denial-of-service and code execution).
Exploit Chain Analysis is the systematic process of mapping these dependency relationships, assessing the feasibility of each link, identifying architectural controls capable of severing individual links, and integrating chain-level risk into prioritization decisions.
The scope of the framework covers several distinct chain subtypes. Sequential chains involve strict linear dependency: each step must complete before the next begins, as in browser-to-kernel sandbox-escape chains and zero-click messaging-app exploits. Branching chains offer multiple paths to the same objective, meaning that blocking one path leaves others open. Nested chains embed one chain inside another, often seen in complex enterprise compromises where initial access triggers a second chain for lateral movement. Opportunistic chains are assembled dynamically by attackers who adapt their path based on what they find during reconnaissance.
The framework does not replace vulnerability scoring systems such as CVSS. It operates above them, using base scores as inputs while adding relational context. Chain analysis also does not model social engineering sequences or purely procedural attack steps that do not involve technical vulnerability exploitation. Those fall under separate kill chain and TTP modeling frameworks such as MITRE ATT&CK. The distinction is important: chain analysis is specifically concerned with technical vulnerability dependencies, not attacker behavior patterns in general.
---
Exploit chain analysis proceeds through five operational phases: chain discovery, link characterization, dependency mapping, break-point analysis, and control recommendation.
Phase 1: Chain Discovery
Chain discovery begins by identifying candidate vulnerability clusters: sets of vulnerabilities that share a target system, a component, or a data flow pathway. Sources include threat intelligence reports, vendor advisories, public proof-of-concept disclosures, and internal vulnerability scan data. The analyst asks a directional question for each vulnerability: "What capability does successful exploitation of this vulnerability grant an attacker, and what does that capability unlock?" This question transforms a flat list of CVEs into a directed graph where edges represent capability transitions.
Phase 2: Link Characterization
Each link in the chain is characterized along three dimensions. Exploitability describes the technical difficulty of successfully exploiting the vulnerability under real-world conditions, accounting for authentication requirements, network position, interaction requirements, and availability of public exploit code. Reliability describes the probability that exploitation produces the expected capability gain rather than a crash, detection event, or partial result. Prerequisite specificity describes how narrowly the preceding link must succeed: some links require exact output from the prior stage; others are satisfied by any of several possible outputs, making the chain more robust.
Phase 3: Dependency Mapping
The dependency map is the core analytical artifact. It is a directed acyclic graph in which nodes represent vulnerabilities and edges represent capability transitions. Each node is annotated with its exploitability score, its role in the chain (entry, pivot, escalation, execution), and its position relative to defensive controls. The graph makes visible which nodes are shared across multiple chains (high-priority targets for remediation) and which nodes represent single points of failure that, if disrupted, collapse the entire chain.
Phase 4: Break-Point Analysis
Break-point analysis identifies which links in the chain are most feasibly severed. Feasibility is assessed across three control categories: patching (removing the vulnerability from the environment), compensating controls (network segmentation, input validation, privilege restrictions that prevent exploitation without removing the vulnerability), and detection controls (monitoring that identifies exploitation attempts at a specific chain link and triggers response before subsequent links execute). The most valuable break points combine high chain criticality (many chains pass through this link) with high control feasibility (the compensating control is deployable without significant operational disruption).
Phase 5: Control Recommendation
The framework concludes with prioritized control recommendations mapped to specific chain links. Recommendations are expressed as: "Breaking link X prevents chains A, B, and C; the recommended control is Y; implementation effort is Z." This format provides security and operations teams with actionable, risk-ranked work items.
Concrete Scenario: ProxyLogon Exchange Exploitation
The ProxyLogon chain (CVE-2021-26855 combined with CVE-2021-27065) illustrates the framework in practice. CVE-2021-26855 is a server-side request forgery vulnerability in Microsoft Exchange: an unauthenticated attacker sends crafted HTTP requests to the internet-facing Exchange frontend, which forwards them to backend services as though they came from an authenticated user, bypassing authentication. Alone, this produces an authentication bypass: the attacker can act as any Exchange user against backend endpoints. CVE-2021-27065 is a post-authentication arbitrary file write vulnerability. Alone, it requires authentication and produces a file write primitive: significant but constrained. In chain: the SSRF provides the authentication context that satisfies the prerequisite for the file write; the file write is used to place a webshell in a web-accessible directory; the webshell provides unauthenticated remote code execution. The base score of the file write, assessed in isolation as a post-authentication flaw, does not reflect that an unauthenticated attacker reaches it as soon as the SSRF supplies the authentication context. Break-point analysis on this chain identifies three intervention points: restricting untrusted external access to the Exchange frontend paths through which the SSRF is reached, autodiscover among them (blocks the SSRF link for external attackers), patching CVE-2021-26855 (removes the entry vulnerability), and monitoring for anomalous file writes to Exchange web directories (detects exploitation at the escalation link before the webshell is invoked).
---
Security teams operating without chain analysis routinely make two categories of prioritization errors. The first is over-prioritizing high-CVSS vulnerabilities that are not chainable in the actual environment and therefore present lower realized risk than their score implies. The second, more dangerous category is under-prioritizing low-to-medium severity vulnerabilities that serve as essential links in active exploit chains. Both errors produce misallocated remediation effort.
The business impact of these errors compounds over time. Patch cycles are finite resources. When teams chase high scores rather than high chain criticality, vulnerabilities that attackers are actively chaining into functional exploits remain unpatched while resources flow toward vulnerabilities that require conditions not present in the environment. This is not a theoretical concern: Hafnium was exploiting the ProxyLogon chain as a zero-day before the March 2021 disclosure, and within days of the patches other actors were mass-exploiting it, compromising tens of thousands of Exchange servers worldwide. Score-driven patch programs did not surface an internet-exposed Exchange server carrying the chain's components as the environment's most urgent risk until the chain was already in use against it.
A persistent misconception is that chain analysis is only relevant for zero-day or nation-state threats. In practice, commodity ransomware and extortion groups have adopted chain techniques extensively. The Clop operation's exploitation of MOVEit Transfer (2023) combined a SQL injection vulnerability (CVE-2023-34362) with the product's own file access functionality: the injection was used to obtain privileged application access, which was then used to pull files through legitimate transfer paths, producing mass data exfiltration across hundreds of organizations. This was not sophisticated nation-state tradecraft; it was a two-link chain assembled from a single product's vulnerability surface and executed at industrial scale.
A second misconception is that architectural controls are a fallback when patching is infeasible. Chain analysis demonstrates that architectural controls are often primary controls: network segmentation that prevents an attacker from reaching the pivot link breaks the chain regardless of whether the pivot vulnerability is patched. This reframes defensive investment decisions, shifting priority toward controls that break chains structurally rather than controls that address individual vulnerabilities in isolation.
Without chain analysis, vulnerability management programs are operating with an incomplete model of risk. They are answering the question "how severe is this vulnerability?" when the operationally relevant question is "what attack paths does this vulnerability enable, and how do those paths interact with our environment?"
---
CDA approaches Exploit Chain Analysis as a core component of Predictive Defense Intelligence (PDI), operating under the principle of "See the threat before it sees you." Within the Planetary Defense Model (PDM), this framework sits at the intersection of the Threat Intelligence Domain (TID) and the Vulnerability and Security Data Domain (VSD), reflecting that effective chain analysis requires both adversarial intelligence (how attackers select and sequence vulnerabilities) and precise vulnerability data (what vulnerabilities exist in the environment and what capability each grants).
CDA's operational differentiation lies in the directional integration of these two domains. Standard vulnerability management programs pull data from VSD and score it independently of TID. CDA's methodology runs the analysis in the opposite direction as well: starting from observed adversary TTPs documented in threat intelligence, mapping backward to identify which vulnerability combinations in the client environment could satisfy those TTPs, and surfacing chains that match active threat actor patterns before exploitation occurs.
In practice, this means CDA analysts maintain chain templates derived from threat intelligence reporting. When a new vulnerability is disclosed, it is immediately evaluated not only for its standalone CVSS score but for its fit into existing chain templates. A new authentication bypass in a widely deployed VPN product is assessed against chain templates for initial-access-to-lateral-movement and initial-access-to-ransomware-deployment. If the new vulnerability satisfies the entry link in an active chain template associated with a tracked threat actor, it receives elevated priority regardless of its base score.
CDA also emphasizes chain-aware detection engineering. Rather than deploying detections at the final execution stage only (when attacker objectives are already achieved), CDA recommends detection coverage at each intermediate chain link, particularly pivot and escalation links. This approach converts chain analysis from a prioritization tool into a detection architecture input, producing monitoring rules that identify exploitation attempts at the earliest feasible stage.
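The following is an added example of chain-aware detection as described above; it is not CDA's tooling and not code from this page. It runs three link-level detections (entry: SSRF indicator in an unauthenticated frontend request; escalation: script file written under an Exchange web root; execution: a request to that freshly written file) over constructed IIS-style request lines and file-creation events, then reports how far along the chain the observed activity got. The IIS field order, the file-event format, the Exchange web-root paths and the cookie names used as SSRF indicators (taken from public ProxyLogon reporting, not from this article) are all assumptions; adapt them to your own log schema.

```python
"""Chain-aware detection: one rule per chain link, correlated into a stage-reached verdict."""
import ntpath
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample telemetry for the example (not real logs). Assumed IIS field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
IIS_LINES = """\
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.9 Mozilla/5.0 - 200
2021-03-03 10:15:07 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.7 python-requests/2.25.1 X-BEResource=mailbox@EXCH01:444/autodiscover/autodiscover.xml 200
2021-03-03 10:16:40 10.0.0.5 POST /aspnet_client/a.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200
""".splitlines()

# Constructed file-creation events, "date time|path|process" (e.g. from Sysmon event 11 or EDR telemetry).
FILE_EVENTS = """\
2021-03-03 10:15:30|C:\\inetpub\\wwwroot\\aspnet_client\\a.aspx|w3wp.exe
2021-03-03 10:15:31|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Ecp\\Ecp_20210303.log|w3wp.exe
""".splitlines()

IIS_FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port", "user", "c_ip", "ua", "cookie", "status"]
SSRF_COOKIE_PREFIXES = ("X-BEResource=", "X-AnonResource-Backend=")  # assumed indicators from public ProxyLogon reporting
EXCHANGE_WEB_ROOTS = (r"\inetpub\wwwroot\aspnet_client", r"\frontend\httpproxy\owa\auth", r"\frontend\httpproxy\ecp\auth")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
STAGES = ("entry", "escalation", "execution")  # chain links, in dependency order

@dataclass(frozen=True)
class Alert:
    ts: datetime
    stage: str
    key: str     # correlation key: client IP or written file name
    detail: str

def parse_iis(lines: List[str]) -> List[Dict[str, str]]:
    return [dict(zip(IIS_FIELDS, line.split(maxsplit=len(IIS_FIELDS) - 1))) for line in lines if line.strip()]

def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def detect_entry(requests: List[Dict[str, str]]) -> List[Alert]:
    """Entry link: an unauthenticated frontend request carrying a backend-routing cookie."""
    return [Alert(_ts(r["date"], r["time"]), "entry", r["c_ip"],
                  f"{r['method']} {r['uri']} with cookie {r['cookie'].split('=')[0]}")
            for r in requests
            if r["user"] == "-" and r["cookie"].startswith(SSRF_COOKIE_PREFIXES)]

def detect_escalation(events: List[str]) -> List[Alert]:
    """Escalation link: a server-side script written into an Exchange web-accessible directory."""
    alerts = []
    for line in events:
        when, path, proc = line.split("|")
        low = path.lower()
        if any(root in low for root in EXCHANGE_WEB_ROOTS) and low.endswith(SCRIPT_EXTENSIONS):
            alerts.append(Alert(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "escalation",
                                ntpath.basename(path).lower(), f"{proc} wrote {path}"))
    return alerts

def detect_execution(requests: List[Dict[str, str]], escalation: List[Alert]) -> List[Alert]:
    """Execution link: a request to a file that the escalation stage just wrote."""
    written = {a.key: a.ts for a in escalation}
    out = []
    for r in requests:
        name = r["uri"].rsplit("/", 1)[-1].lower()
        ts = _ts(r["date"], r["time"])
        if name in written and ts > written[name]:
            out.append(Alert(ts, "execution", r["c_ip"], f"{r['method']} {r['uri']} after write"))
    return out

def run_detection(iis_lines: List[str] = IIS_LINES, file_events: List[str] = FILE_EVENTS) -> List[Alert]:
    requests = parse_iis(iis_lines)
    esc = detect_escalation(file_events)
    return sorted(detect_entry(requests) + esc + detect_execution(requests, esc), key=lambda a: a.ts)

def deepest_stage(alerts: List[Alert]) -> str:
    """How far along the chain the observed activity got ("none" if nothing fired)."""
    reached = {a.stage for a in alerts}
    return next((s for s in reversed(STAGES) if s in reached), "none")

if __name__ == "__main__":
    alerts = run_detection()
    for a in alerts:
        print(f"{a.ts:%H:%M:%S} [{a.stage:10}] {a.key}: {a.detail}")
    print("chain stage reached:", deepest_stage(alerts))
```

On the sample data the entry rule fires at 10:15:07, the escalation rule at 10:15:30 and the execution rule at 10:16:40, so the verdict is `execution`; the point of the per-link layout is that the first two alerts exist on their own and can be acted on 90 seconds before the webshell is ever invoked. A real deployment would key the correlation on a time window and on more than a bare file name, and would feed each stage's alert into a separate response playbook.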
The PDI methodology treats exploit chains as predictive models: a known chain structure, combined with intelligence indicating that a threat actor is targeting the relevant technology, constitutes a forward-looking risk indicator that warrants proactive control deployment before any exploitation event is observed.
Written by CDA Editorial